Re: TESO & C-Skills development advisory -- imwheel

[whitevampire () MINDLESS COM (WHiTe VaMPiRe)]

On Thu, Mar 16, 2000 at 02:38:47PM +0100, Sebastian(krahmer () CS UNI-POTSDAM DE) wrote:
: TESO Security Advisory
: 2000/03/13
: 
: imwheel local root compromise

        The Slackware package available from Linuxmafia.org
(http://linuxmafia.org/pcentral/search_view.php3?name=imwheel) is not
effected by this, as it does not package with the SUID wrapper.  (The
binary included is also not set SUID.) This is with version 0.9.6 of
imwheel.

        A SUID wrapper should simply not be necessary in the first
place.

        As far as I can tell the standard package of imwheel 0.9.7 does
not have a wrapper.  However, during 'installation,' it will prompt you
asking whether or not to install SUID.

An excerpt from the Makefile:

        ## Setting UID, this is best for non-root usage!
        ## This does not effect usage for root users. (duh!)
        ## This gives all users kill privileges for other imwheel processes.

        Judging from that, if you setup imwheel to be started via the
users' xinit scripts, and killed upon logout, it would have the same
function.

        To reiterate, SUID is just a quick cop-out for a better 
setup.  If it is a one-user desktop machine, even less than that would
have to be done.

Regards,

-- 
    __      ______   ____
   /  \    /  \   \ /   / WHiTe VaMPiRe\Rem
   \   \/\/   /\   Y   /  whitevampire () mindless com
    \        /  \     /   http://www.projectgamma.com/
     \__/\  /    \___/    http://www.gammaforce.org/
          \/ "Silly hacker, root is for administrators."


<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>